...
The shibboleth.authn.IPAddress.Transforms bean allows for address transformations before comparing them to the address ranges, essentially a kind of on-the-fly address translation. A transform is a Pair object containing a regular expression and a replacement expression.
Reference
| Localtabgroup |
|---|
localtab-live| Expand |
|---|
|
The beans defined in authn/ipaddress-authn-config.xml follow: Bean ID | Type | Default | Description |
|---|
shibboleth.authn.IPAddress.Mappings | Map<String,List<IPRange>> | Empty Map | The entry values are a list of CIDR address range strings to map to the username in the entry key | shibboleth.authn.IPAddress.Transforms | List<Pair<String,String>> | | Pairs of regular expressions and replacement expressions to apply to the username | shibboleth.authn.IPAddress.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session | shibboleth.authn.IPAddress.addDefaultPrincipals
| Boolean | true | Whether to add the content of theĀ supportedPrincipals property of the underlying flow descriptor to the resulting Subject |
| Localtab live |
|---|
| active | true
|---|
| Expand |
|---|
|
The beans defined in authn/ipaddress-authn-config.xml follow: Bean ID | Type | Default | Description |
|---|
shibboleth.authn.IPAddress.Mappings | Map<String,List<IPRange>> | Empty Map | The entry values are a list of CIDR address range strings to map to the username in the entry key | shibboleth.authn.IPAddress.Transforms | List<Pair<String,String>> | | Pairs of regular expressions and replacement expressions to apply to the username | shibboleth.authn.IPAddress.resultCachingPredicate | Predicate<ProfileRequestContext> | | An optional bean that can be defined to control whether to preserve the authentication result in an IdP session |
|
| Expand |
|---|
|
The general properties configuring this flow via authn/authn.properties are: Name | Default | Description |
|---|
idp.authn.IPAddress.order | 1000 | Flow priority relative to other enabled login flows (lower is "higher" in priority) | idp.authn.IPAddress.nonBrowserSupported | true | Whether the flow should handle non-browser request profiles (e.g., ECP) | idp.authn.IPAddress.passiveAuthenticationSupported | true | Whether the flow allows for passive authentication | idp.authn.IPAddress.forcedAuthenticationSupported | false | Whether the flow supports forced authentication | idp.authn.IPAddress.proxyRestrictionsEnforced | %{idp.authn.enforceProxyRestrictions:true} | Whether the flow enforces upstream IdP-imposed restrictions on proxying | idp.authn.IPAddress.proxyScopingEnforced | false | Whether the flow considers itself to be proxying, and therefore enforces SP-signaled restrictions on proxying | idp.authn.IPAddress.discoveryRequired | false | Whether to invoke IdP-discovery prior to running flow | idp.authn.IPAddress.lifetime | %{idp.authn.defaultLifetime:PT60S} | Lifetime of results produced by this flow | idp.authn.IPAddress.inactivityTimeout | %{idp.authn.defaultTimeout:PT60S} | Inactivity timeout of results produced by this flow | idp.authn.IPAddress.reuseCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> controlling result reuse for SSO | idp.authn.IPAddress.activationCondition | shibboleth.Conditions.TRUE | Bean ID of Predicate<ProfileRequestContext> determining whether flow is usable for request | idp.authn.IPAddress.subjectDecorator | | Bean ID of BiConsumer<ProfileRequestContext,Subject> for subject customization | idp.authn.IPAddress.supportedPrincipals | (see below) | Comma-delimited list of protocol-specific Principal strings associated with flow | idp.authn.IPAddress.addDefaultPrincipals | true | Whether to auto-attach the preceding set of Principal objects to each Subject produced by this flow |
As a non-password based flow, the supportedPrincipals property defaults to the following XML: | Code Block |
|---|
| <list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
</list> |
In property form, this is expressed as: | Code Block |
|---|
idp.authn.IPAddress.supportedPrincipals = \
saml2/urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol |
SAML 1 does not define an AuthenticationMethod constant for this kind of authentication, so only a SAML 2 AuthnContextClassRef is applied. An "unspecified" method constant will be used with SAML 1 unless otherwise configured. localtab-live |
| Expand |
|---|
| title | Flow Descriptor XML (V4.1+) |
|---|
|
To replace the internally defined flow descriptor bean, the following XML is required: | Code Block |
|---|
<util:list id="shibboleth.AvailableAuthenticationFlows">
<bean p:id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
p:order="%{idp.authn.IPAddress.order:1000}"
p:nonBrowserSupported="%{idp.authn.IPAddress.nonBrowserSupported:true}"
p:passiveAuthenticationSupported="%{idp.authn.IPAddress.passiveAuthenticationSupported:true}"
p:forcedAuthenticationSupported="%{idp.authn.IPAddress.forcedAuthenticationSupported:false}"
p:proxyRestrictionsEnforced="%{idp.authn.IPAddress.proxyRestrictionsEnforced:%{idp.authn.enforceProxyRestrictions:true}}"
p:proxyScopingEnforced="%{idp.authn.IPAddress.proxyScopingEnforced:false}"
p:discoveryRequired="%{idp.authn.IPAddress.discoveryRequired:false}"
p:lifetime="%{idp.authn.IPAddress.lifetime:PT60S}"
p:inactivityTimeout="%{idp.authn.IPAddress.inactivityTimeout:PT60S}"
p:reuseCondition-ref="#{'%{idp.authn.IPAddress.reuseCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:activationCondition-ref="#{'%{idp.authn.IPAddress.activationCondition:shibboleth.Conditions.TRUE}'.trim()}"
p:subjectDecorator-ref="#{getObject('%{idp.authn.IPAddress.subjectDecorator:}'.trim())}">
<property name="supportedPrincipalsByString">
<bean parent="shibboleth.CommaDelimStringArray"
c:_0="#{'%{idp.authn.IPAddress.supportedPrincipals:}'.trim()}" />
</property>
</bean>
</util:list> |
In older versions and upgraded systems, this list is defined in conf/authn/general-authn.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed. |
...